tech-net archive


Re: PFkey update to get recent racoon working on NetBSD



On Fri, Dec 18, 2009 at 03:12:36PM +0100, Daniel Zebralla (A.P.E. IT-Security - 
Hard- & Software Development) wrote:
> Hi Yvan,

Hi all.


> I've seen your mail at [1] that there were recent changes in racoon
> that need equal changes to the kernel's PFkey interface.

Yep.


> I'm currently experiencing this problem with a recent racoon (taken
> from NetBSD-current CVS) and a NetBSD 5.0 userland,
> the problem that I see are repeatedly created phase2 SA entries as
> described in [2] by Brett Lymn.
>

> Do you have any patches in this direction already, or can you
> outline the work that needs to be done? 

Not actually, I still didn't find time to finish minor fixes and to
port it to NetBSD....
I'll be on holidays at the end of the week, I may have time to do at
least most of that job in the next weeks.....


> Do you have files & revisions (or URLs to source-changes mails) for
> FreeBSD?

Not so easy to track: the best way may be to get the diff
between..... two patches !
First one is the "old" patchset maintained for older versions,
available at http://people.freebsd.org/~vanhu/NAT-T (use only patches
without TEST or experimental, they will be the version closer to
NetBSD's ones).

Second patchset is commit on FreeBSD's HEAD:
http://svn.freebsd.org/viewvc/base?view=revision&revision=194062
which mostly includes the "correct" version (well, there are still a
few known bugs in specific situations, I'll have to make some test
setups to be able to hunt them).


If someone starts porting that to NetBSD (don't forget that NetBSD
still ships both IPSEC and FAST_IPSEC, work will need to be done
twice....), please let me know, that may avoid 2 guys doing the same
job at the same time, and I can also give some hints, code review,
etc....



Yvan.

